How safe is it to perform authentication in the client side

I’m developing an app which is kind of like a forum. Users can post comments. A comment can be edited by only the owner of the comment. For doing this, the logic is:

if (Meteor.userId() === comment.userId) {
  // Client-side ownership check: only hides the edit path in the UI
  forum.comment = updatedComment;
  Meteor.call('update-forum', forum);
}

Is it safe what I’m doing here? Should I shift the authentication logic to the server side?

It’s fine but remember to make a double check on the server.

I’m checking if the user is authenticated at the server side, but is it necessary that I make this particular check again on the server, i.e. Meteor.userId() === comment.userId?

Yes, you need to check it again on the server.

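The server-side re-check recommended in the replies, as an added example that is not part of the thread: plain JavaScript modelling a method handler so it runs without Meteor. The `comments` map, `updateComment`, `tryUpdate` and the error codes are assumptions made for illustration; in a Meteor method, `callerId` would be `this.userId` and the type checks would normally use `check()`.

```javascript
// Constructed sample data standing in for the server's comments collection.
const comments = new Map([
  ['c1', { _id: 'c1', userId: 'alice', text: 'first post' }],
  ['c2', { _id: 'c2', userId: 'bob', text: 'reply' }],
]);
const MAX_LEN = 2000; // assumed limit for this example

class MethodError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Hypothetical server-side handler. It accepts only a comment id and the new
// text, never a whole forum/comment object from the client, so the owner
// field used for the decision always comes from server-side storage.
function updateComment(callerId, commentId, newText) {
  // 1. Authentication: callerId is the server's view of the session user.
  if (!callerId) throw new MethodError('not-authorized', 'login required');

  // 2. Input validation: reject objects/arrays that could act as query operators.
  if (typeof commentId !== 'string' || typeof newText !== 'string') {
    throw new MethodError('bad-input', 'commentId and text must be strings');
  }
  const text = newText.trim();
  if (text.length === 0 || text.length > MAX_LEN) {
    throw new MethodError('bad-input', 'text length out of range');
  }

  // 3. Authorization: compare the stored owner with the session user.
  const stored = comments.get(commentId);
  if (!stored) throw new MethodError('not-found', 'no such comment');
  if (stored.userId !== callerId) {
    throw new MethodError('forbidden', 'only the owner may edit');
  }

  // 4. Update only the editable field; ownership is never writable here.
  stored.text = text;
  stored.editedAt = new Date();
  return { _id: stored._id, text: stored.text };
}

// Small wrapper that returns 'ok' or the error code, for logging or tests.
function tryUpdate(callerId, commentId, newText) {
  try { updateComment(callerId, commentId, newText); return 'ok'; }
  catch (e) { return e.code; }
}
```

The client-side `Meteor.userId() === comment.userId` test can stay as a UI convenience; the decision that counts is step 3, because a method call can be issued directly without going through the client code.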